8.8

CVE-2020-13671

Warning

Drupal core does not properly sanitize certain filenames on uploaded files, which can lead to files being interpreted as the incorrect extension and served as the wrong MIME type or executed as PHP for certain hosting configurations. This issue affects: Drupal Drupal Core 9.0 versions prior to 9.0.8, 8.9 versions prior to 8.9.9, 8.8 versions prior to 8.8.11, and 7 versions prior to 7.74.

Data provided by the National Vulnerability Database (NVD)

| Vendor | Product | Version |
|---|---|---|
| Drupal | Drupal | >= 7.0 < 7.74 |
| Drupal | Drupal | >= 8.8 < 8.8.11 |
| Drupal | Drupal | >= 8.9 < 8.9.9 |
| Drupal | Drupal | >= 9.0 < 9.0.8 |
| Fedoraproject | Fedora | 32 |
| Fedoraproject | Fedora | 33 |

18.01.2022: CISA Known Exploited Vulnerabilities (KEV) Catalog

Vulnerability: Drupal core Un-restricted Upload of File

Description: Improper sanitization in the extension file names is present in Drupal core.

Required action: Apply updates per vendor instructions.

EPSS Metrics

| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 12.44% | 0.936 |

CVSS Metrics

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| nvd@nist.gov | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd@nist.gov | 6.5 | 8 | 6.4 | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |

CWE-434 Unrestricted Upload of File with Dangerous Type

The product allows the upload or transfer of dangerous file types that are automatically processed within its environment.